Compliance with
Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) for many
public companies is in its fourth year. Has your SOX 404 compliance
program become any easier, cheaper or faster today than in the first
three years?
Time after time,
when we meet with financial executives around Wisconsin and the rest
of the Midwest, the discussion inevitably leads to making the SOX
404 compliance process more cost effective. As many companies
learned, first-year compliance was extremely difficult and costly.
SOX 404 was new and there was little guidance available, which led
to varying interpretations of Audit Standard No. 2 from the Public
Company Accounting Oversight Board (PCAOB). Many companies wanted to
avoid material weaknesses at all cost, so they tended to err on the
side of conservatism when it came to testing and remediation. In
addition, few companies used a risk-based approach to scope their
compliance program, which led to a large number of internal controls
documented for compliance purposes and, therefore, a large volume of
testing required on those controls.
Recently, the Securities and Exchange Commission (SEC) proposed
additional guidance on ways to improve the implementation of SOX 404
compliance. While this proposed guidance is not yet finalized,
there are practical approaches companies can take today to address
common issues related to complying with SOX 404. We refer to this as
an enterprise-wide control rationalization approach.
Control rationalization is a continuous, programmatic approach to
streamlining a company’s internal controls over financial reporting.
Applied in steps, it starts with identifying and ranking risks and
then uses a methodical approach to apply an effective and efficient
set of controls to mitigate these risks. For these controls,
risk-based considerations are also used to drive efficiency in
testing. Opportunities for improving overall control design are
targeted as well, such as redesigning controls, automating controls
and processes, and consolidating redundant controls and processes.
In this way, control rationalization can not only help immediately
reduce compliance costs, but can also position your company to
effectively manage its ongoing compliance risk.

The control rationalization approach is based on two principles (see figure 1):
- A top-down, risk-based approach. Not all accounts, transactions and
risks are equally important from an internal control perspective.
Indiscriminately treating all controls as equal wastes time and
money. Control rationalization helps you realistically assess the
risks and determine the appropriate amount of effort to expend on
each area.
- A lean and balanced control design. During the first year of SOX 404
compliance, many companies tested a large number of transactional
controls as a result of a bloated control structure (see figure 1).
Control rationalization applies an enhanced understanding of your
financial reporting risk profile to help you leverage higher-level
(company-level) controls to drive compliance efficiencies and reduce
risk.
[Figure 1: Examples of control categories. Category 1: company-level
controls (e.g., control environment, period-end financial reporting,
anti-fraud programs). Category 2: general computer controls (GCCs),
controls over non-routine accounts and accounts with significant
judgment, controls over other high-risk areas. Category 3: controls
over routine, transactional processing.]

The control rationalization approach consists of four phases (see figure 2):
Apply a top-down, risk-based approach to re-scoping. In phase 1,
begin with a detailed risk assessment to identify and understand
your company’s financial reporting risks: start with company-level
controls and proceed down to the identification of significant
accounts, key groups of transactions and related processes and
individual controls, including key IT systems and general computer
control environments.
Rationalize existing controls and redesign test plans. In phase 2,
both process-level and general computer controls are rationalized
and test plans are redesigned to focus the majority of the testing
effort on the higher risk controls. In this phase, opportunities to
improve and enhance control design are identified and a rationalized
set of controls for compliance testing purposes is developed. The
overall testing approach should also be analyzed to facilitate
maximum reliance by the external auditors and align with other
testing efforts of the company.
Leverage automated controls and enabling technology. In phase 3,
companies begin automating controls by leveraging unused
functionality that may already reside in existing applications or
Enterprise Resource Planning (ERP) systems and/or by implementing
new tools, such as continuous controls monitoring tools. The
fundamental objective is to reduce the risks and costs associated
with manual controls.
Standardize and centralize processes. A typical reason for the
bloated triangle in figure 1 is the unnecessary complexity around
systems, processes and locations for many companies. Typical
activities in phase 4 include consolidating ERP systems,
standardizing business activities, and deploying shared services.
The potential value derived from these activities extends beyond
compliance into operational efficiencies and strategic improvements,
and any investment in these areas likely cannot be justified
entirely on the basis of compliance. However, centralization offers
the type of scale that enables companies to deploy controls-related
technology efficiently and, in doing so, helps create a sustainable
internal control program.
The work in phases 1 and 2 is tactical and can result in some "quick
hit" improvements in approach and ultimately result in cost savings.
These typically can be accomplished through a series of focused
workshops with key business and information technology resources.
Phases 3 and 4 are more strategic in nature and will require a more
significant investment to realize the return on investment; yet, at
the same time, the return can be substantial and enduring.
Don’t forget that throughout any process of refining and
rationalizing your control structure, there should be multiple
checkpoints with the external auditors to make sure they are in
agreement with the approach and changes made. This way, you can
incorporate their feedback during the process rather than after the
effort is complete. Choosing to implement the control
rationalization approach offers many potential benefits to your
compliance process: